ACC97: Understanding the Role of Workgroup Information Files in Access Security

This article explains the role and relationship of the workgroup information file (MDW) in Microsoft Access security.

When you install Microsoft Access and open a database for the first time, a new file named System.mdw is created in the Windows\System folder. This file is the default workgroup information file.

The workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.

If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.

IMPORTANT: If you establish Access security in a database, Microsoft recommends that you have a backup or copy of the workgroup information file in a safe location. If the file is lost or damaged or otherwise becomes useless, the only way to recover the file quickly is to have a copy of the file. Otherwise, the database administrator would have to try to re-create the User Accounts exactly as they were initially. This is a risky situation. If the workgroup information file is not created exactly as the original, the file will not work with the database. This will prevent the successful use of the database for its designed purpose. In most cases, a current backup of the database file is the only sure way to recover the file.

Access uses the workgroup information file even when the database has not been secured. The file uses the default Admin user account. The Admin user account does not have a password at that point, and therefore it does not trigger a logon prompt.

For additional information about securing a Microsoft Access database, click the article number below to view the article in the Microsoft Knowledge Base: Access security is based on a hierarchy of Groups, Users and Database objects (forms, reports, queries, and so on).

Groups and Users

Groups are collections of users who typically, but not always, have the same "role" and reason for working in the database. Some users will have more latitude and some will have less latitude in the database. To administer users of varying scope, Microsoft recommends that they be placed into separate groups based on their needs.

Users are individuals who will actually use either all or part of the database. A User can belong to more than one group. In Access security, one key concept to remember is this. If any user is a member of two or more Groups in the database and security has been established on the groups, that user will have the most liberal permissions between or among all the groups they are a member of.

The workgroup information file is used to store the User and Group information. Each user account is created with a user logon, a password, and a Personal ID. Each Group is created with a group name and Workgroup ID. That information is stored in the workgroup information file.

If the database administrator creates groups to cluster users who work in the same capacity, it is far easier to assign permissions at the group level than to try to administer individual user accounts that have the exact same set of permissions over the whole company. If the permissions are assigned to the group, they will extend to each member of that group. Therefore, the database administrator can easily set up a new user account, assign them to the proper group, and that user is ready to proceed immediately. The group permissions will govern their activities automatically.

Database Objects

All Database Objects have an Owner and a series of permissions that must be determined at the Group or individual User level.

Permissions

With permissions, the user can open objects and modify objects or the data retained by the objects. With the correct set of permissions, any user belonging to a group can perform tasks without hindrance and without compromising the security of the application or the underlying data. NOTE: It is not a good idea to allow users to make design changes in a production database. Microsoft recommends that design changes are made only to the developer's copy of the database.

Permissions and the Ownership of database objects are stored in the database file itself. Because permissions and ownership properties always refer to specific user and group accounts that are stored in the MDW file used to secure it, a secured application must always be opened by using the specific workgroup information file it was secured with.

One exception to this involves the default Admin user. The Admin user is the same across all workgroups and cannot be deleted. This design is what enables moving an unsecured Access file from one computer to another without having to also move the MDW file from the computer that was used to create the database. Because of this, a user could create and join a different workgroup information file, log on as the same Admin user without a password, and then be able to open your "secured" file with any permissions that were granted to the Admin user. Therefore, a properly secured database will have all permissions for the Admin user removed so that this cannot occur.

It is also possible to use multiple workgroup information files on the same compuer. This often occurs if one database is secured but others are not. Or, each database may each have its own separate security scheme for various reasons. After an Access application has been properly secured, the MDW file used while setting up the security is the only workgroup information file the database will work with. It can be copied to each local workstation or shared across a network.

Workgroup File Administration

The developer or application administrator can create additional workgroup information files using Wrkgadm.exe. This utility can be found in the following folder: This Workgroup Administrator is designed to create or join workgroup information files. Joining a specific MDW file using Workgroup Administrator makes that file the default when Microsoft Access is started by one of the following methods:

• From the Programs menu in Microsoft Windows.
• From a Desktop shortcut that points directly to the database file only
• From Windows Explorer when you double-click a database file associated with Access

An Access database can be opened by using the default workgroup information file. Or, a custom MDW file can be specified by using a desktop shortcut. Each desktop shortcut will have the Command-Line option set to start a specific database and use a specific workgroup information file secured with that database.

For example, to start an Access Database named MyApp located in a folder named MyAppFolder using the workgroup information file that was used to establish security on this application database, the command line syntax must use the /WrkGrp command-line switch and would look similar to the following example: For additional information about Command-Line Options, click the article number below to view the article in the Microsoft Knowledge Base:

Workgroup Information File Name

You can also give the workgroup information file a different name than the default name of System.mdw. Often, the workgroup information file is given the same name as the database it is securing. This helps identify it quickly from other MDW files, and associates it with the correct database file.

Another method for managing multiple workgroup information files is to place a copy of the correct workgroup information file in the same folder as the database it is associated with.

Additional or new copies of the System.mdw file can be created to use with your specific databases. If you accidentally "secure" the default copy of System.mdw, you can create a new System.mdw file in the default path. To create a new workgroup information file, follow these steps:

1. Close any open databases, and then quit Microsoft Access.
2. Search your computer for the file Wrkgadm.exe, and then double-click the file.
3. Click Create in the dialog box that appears.
4. To create a new workgroup information file, enter your User Name, the Organization Name, and a Workgroup ID. The Workgroup ID can be any string of alphanumeric characters. It must be between 8 and 20 characters long. Click OK.
5. Take note of the path and file name that is the default for the new workgroup information file. If you want it to be in another path, edit the path, or click Browse to locate the path that you want. If you also want the file name to be different, you can change the name also. If there is another Workgroup file with the same name, Access will prompt you to overwrite it or not. Click OK to proceed.
6. The next window is a confirmation window that displays all the information that you have entered. Review and click either OK to proceed, or Change if you find something that is not correct.
7. When the Workgroup file has been successfully created, a window will appear confirming this to you. Click OK in this message.
8. You can now exit the Workgroup Administrator or join another workgroup file to make it the default file.

Run-Time Access Databases

If you are using Microsoft Office 97 Developer Edition, you must include the specific secured workgroup information file for any secured database that you are distributing.

If you are not distributing a Microsoft Access database with security, then you do not have to include the workgroup information file.

For additional information about Microsoft Access security, see the "Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 Through 2000" white paper at the following Microsoft Web site: You can also download this white paper from the Microsoft Download Center at the following Microsoft Web site: For more information about command-line options, click Microsoft Access Help on the Help menu, type startup command-line options in the Office Assistant or the Answer Wizard, and then click Search to view the topics returned.